VERT Threat Alert: September 2015 Patch Tuesday Analysis

Today’s VERT Alert addresses 12 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-632 on Wednesday, September 9th.

MS15-094

Up first this month, we have an Internet Explorer update that resolves a number of vulnerabilities including one publicly disclosed vulnerability. The most interesting element of this update would be CVE-2015-2493, a vulnerability in the VBScript and JScript engines.

Normally, a vulnerability in these components in the IE update would mean a second Windows update to resolve the standalone VBScript and JScript implementations. The lack of this update means one of two things: that the vulnerability exists in the code that integrates VBScript and JScript into Internet Explorer or that a bulletin resolving this issue in VBScript and JScript was withheld and may be coming at a later date.

MS15-095

Up next, we have an update for Microsoft Edge, which includes a number of CVEs from the Internet Explorer bulletin. This overlap includes CVE-2015-2542, the vulnerability that has been publicly disclosed.

MS15-096

This bulletin describes a denial of service in Active Directory that could allow an authenticated user to create multiple machine accounts. Upon creating multiple machine accounts, the AD service could become non-responsive.

MS15-097

Lately, no month is complete without an update to various system drivers, including font drivers. This month is no exception, with OpenType fonts, the Windows kernel-mode driver, and the Windows kernel affected. This bulletin provides a great opportunity to remind Windows 10 users that updates are all or nothing: you can’t pick and choose, as Microsoft provides one massive cumulative update for all Windows 10 security issues.

MS15-098

Every so often the Windows Journal makes an appearance, just as it does in MS15-098. At this point, the majority of users could simply remove the journal file associations, as it’s a seldom-used application and reducing the system attack surface is always beneficial.

MS15-099

The final double-digit bulletin of the year belongs to Microsoft Office, resolving issues with Office, Excel, and SharePoint Foundation 2013.

MS15-100

Much like MS15-098, MS15-100 is code execution in a file type that most users seldom use. The Media Center link file (.mcl) is the culprit this time, and if you’re not making use of Media Center, you could remove this file type association as well.
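The association cleanup suggested for MS15-098 and MS15-100 can be audited before anything is changed. The following PowerShell script is an added example, not code from this post or from Microsoft: it lists where each extension is bound to a handler and, only when run with -Remove, exports each key to a backup file before deleting it. It assumes .jnt is the Windows Journal extension and uses a hypothetical backup folder.

```powershell
# Added example: audit (and, with -Remove, delete) associations for seldom-used file types.
# Assumption: .jnt is the Windows Journal extension; .mcl is the type named in the post.
param(
    [string[]]$Extensions = @('.jnt', '.mcl'),
    [switch]$Remove,                                   # default is audit only
    [string]$BackupDir = "$env:TEMP\assoc-backup"      # hypothetical backup folder
)

# Registry locations where an extension can be bound to a handler.
$roots = @(
    'HKLM\SOFTWARE\Classes',                                            # machine-wide
    'HKCU\SOFTWARE\Classes',                                            # per-user
    'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts'  # Explorer per-user choice
)

if ($Remove) { New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null }

foreach ($ext in $Extensions) {
    foreach ($root in $roots) {
        $key  = "$root\$ext"
        $path = 'Registry::' + ($key -replace '^HKLM', 'HKEY_LOCAL_MACHINE' -replace '^HKCU', 'HKEY_CURRENT_USER')
        if (-not (Test-Path -LiteralPath $path)) { continue }

        # Handler name: the key's default value, or UserChoice\ProgId under FileExts.
        $handler = (Get-Item -LiteralPath $path).GetValue('')
        $choice  = "$path\UserChoice"
        if (-not $handler -and (Test-Path -LiteralPath $choice)) {
            $handler = (Get-Item -LiteralPath $choice).GetValue('ProgId')
        }

        $removed = $false
        if ($Remove) {
            # Export first so the association can be restored by importing the .reg file.
            $backup = Join-Path $BackupDir (($key -replace '[\\.]', '_') + '.reg')
            & reg.exe export $key $backup /y | Out-Null
            if ($LASTEXITCODE -eq 0) {
                Remove-Item -LiteralPath $path -Recurse -Force
                $removed = $true
            } else {
                Write-Warning "Backup of $key failed; key left in place."
            }
        }
        [pscustomobject]@{ Extension = $ext; Key = $key; Handler = $handler; Removed = $removed }
    }
}
```

Removing the machine-wide keys requires an elevated prompt; the per-user keys only affect the account that runs the script.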

MS15-101

Next, we have a pair of vulnerabilities in .NET. The denial of service applies to web servers with ASP.NET applications, but the elevation of privilege could be exploited using a malicious web-based application or a desktop application.

MS15-102

Three vulnerabilities in Windows Task management are next on the list. One of these vulnerabilities exists within the Task Scheduler, while the other two have to do with Windows impersonation levels. All three vulnerabilities require that the attacker have access to the system in order to elevate their privileges.

MS15-103

Microsoft Exchange, specifically the OWA interface, fails to properly handle data, leading to three vulnerabilities. The first is a failure to properly handle web requests, which can lead to stack trace disclosure, while the other two are related to the sanitization of email, which could allow spoofing.

MS15-104

The penultimate update this month resolves a trio of XSS vulnerabilities that affect Microsoft Lync Server and Skype for Business Server. All three attacks require that the user click on a malicious URL.

MS15-105

The final bulletin this month resolves a bypass that exists within the Hyper-V ACLs that could allow an attacker to bypass network traffic restrictions.

Additional Details

Adobe has released APSB15-022 to address multiple vulnerabilities in Adobe Shockwave Player.

As always, VERT recommends that you apply all the patches as soon as possible, but also that you fully vet patches (when possible) before applying them to production systems.